Network attacks represent a major threat to the continuous operation of network devices. In a typical Distributed Denial of Service (DDoS) attack, for example, traffic emanates from a wide range of compromised systems, and packets from these systems are directed at one or more target hosts, e.g., web servers, in an attempt to overload the target hosts. When a DDoS attack occurs across an Internet Service Provider's (ISP's) network, the transmission network may become so congested that the ISP can no longer provide adequate service. Examples of DDoS attacks include Tribe Flood Network 2000 (TFN2K) and WinTrinoo.
TFN2K is a Synchronize (SYN) flood from multiple hosts to a single server on a network that prevents a Transmission Control Protocol/Internet Protocol (TCP/IP) server from servicing other users. An attacking device sends a counterfeit source address to the server so that the final acknowledgment of the server's SYNchronize-ACKnowledge (SYN-ACK) response in the handshaking sequence is never sent. As a result, the server continues to execute the handshaking sequence until the server either overloads or crashes.
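The half-open handshakes described above are visible from the defender's side as SYN-ACKs that never receive a final ACK. The following sketch is an added example, not part of the original text; the event format, the addresses (documentation ranges), the timeout and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (time_s, src_ip, src_port, dst_ip, dst_port, flags)
# flags: "S" = SYN, "SA" = SYN-ACK, "A" = final ACK of the handshake.
def build_events():
    server = ("192.0.2.10", 80)
    # One legitimate client that completes the three-way handshake.
    events = [(0.00, "198.51.100.7", 40000, *server, "S"),
              (0.01, *server, "198.51.100.7", 40000, "SA"),
              (0.02, "198.51.100.7", 40000, *server, "A")]
    # Twenty SYNs with counterfeit sources: the server replies, no ACK follows.
    for i in range(20):
        src, port, t = f"203.0.113.{i + 1}", 50000 + i, 1.0 + i * 0.05
        events.append((t, src, port, *server, "S"))
        events.append((t + 0.01, *server, src, port, "SA"))
    return sorted(events)

def half_open_by_server(events, now, timeout=3.0):
    """Count, per (server_ip, port), handshakes whose SYN-ACK has gone
    unanswered for at least `timeout` seconds as of time `now`."""
    seen_syn = set()   # (client, cport, server, sport) tuples that sent a SYN
    pending = {}       # same key -> time the server sent its SYN-ACK
    for t, src, sport, dst, dport, flags in events:
        if flags == "S":
            seen_syn.add((src, sport, dst, dport))
        elif flags == "SA":
            key = (dst, dport, src, sport)   # re-key from the client's side
            if key in seen_syn:
                pending[key] = t
        elif flags == "A":
            # Final ACK completes the handshake; it is no longer half-open.
            pending.pop((src, sport, dst, dport), None)
    counts = defaultdict(int)
    for (_client, _cport, server, port), sent_at in pending.items():
        if now - sent_at >= timeout:
            counts[(server, port)] += 1
    return dict(counts)

def flag_syn_flood(events, now, timeout=3.0, threshold=10):
    """Return servers whose stale half-open count meets the threshold."""
    stale = half_open_by_server(events, now, timeout)
    return sorted(s for s, n in stale.items() if n >= threshold)
```
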
Other attacks can succeed because of vulnerabilities including, but not limited to, buffer overflows, operating system or application misconfiguration, software errors, weak authentication, or a combination of these.
To date, major work on detecting network attacks has focused on signature-based intrusion detection system (IDS) mechanisms designed to recognize traffic based on simple rules. This strategy is ineffective in the global Internet environment.
Another approach to combating network attacks involves the use of honeypots. Honeypots are deception hosts that are typically deployed in a network with standard production-like operating and network configurations. If an intruder compromises or attacks the honeypot, the intruder's actions are recorded. A security administrator can use this recorded information to determine ways in which the basic system can be compromised. Conventional honeypots are generally associated with less complex systems, such as host devices. As network devices become more complex, it is desirable to use honeypots for improving security of these devices. One such complex device is a softswitch that routes calls between packet networks and the Public Switched Telephone Network (PSTN).
Therefore, there exists a need for systems and methods that improve the security of softswitches.